IETF Logo Mail Archive

Re: [kitten] The Hashed-Token SASL Mechanism (SASL-HT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 16 October 2017 02:51 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED96213339D for <kitten@ietfa.amsl.com>; Sun, 15 Oct 2017 19:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AIVTcQysqQaw for <kitten@ietfa.amsl.com>; Sun, 15 Oct 2017 19:51:24 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BF94126BF3 for <kitten@ietf.org>; Sun, 15 Oct 2017 19:51:24 -0700 (PDT)
X-AuditID: 1209190d-9c7ff70000006482-8e-59e41eaa58c8
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id E0.7C.25730.BAE14E95; Sun, 15 Oct 2017 22:51:23 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v9G2pLlm018024; Sun, 15 Oct 2017 22:51:22 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v9G2pHZ7020947 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 15 Oct 2017 22:51:19 -0400
Date: Sun, 15 Oct 2017 21:51:17 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Florian Schmaus <flo@geekplace.eu>
Cc: kitten@ietf.org, Peter Saint-Andre <stpeter@stpeter.im>, XMPP Standards <standards@xmpp.org>, Christoph Egger <egger@cs.fau.de>
Message-ID: <20171016025117.GL96685@kduck.kaduk.org>
References: <9913d71b-ae22-cc48-34b8-fb29fdf9a00c@geekplace.eu>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="9DptZICXTlJ7FQ09"
Content-Disposition: inline
In-Reply-To: <9913d71b-ae22-cc48-34b8-fb29fdf9a00c@geekplace.eu>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrDKsWRmVeSWpSXmKPExsUixCmqrbta7kmkwZ0DvBaP32tZfNtxk8ni 6OZVLBaPjs9nsTi2p5/ZgdVj5sa3jB6Hri5m81iy5CeTx9w9L5g97ngHsEZx2aSk5mSWpRbp 2yVwZWz6HFFwS7piwq7fzA2MR8S7GDk5JARMJObMvcMOYgsJLGaSmH7fpIuRC8jeyCjxY3s7 K4RzlUnix8EFLCBVLAKqEpdermAFsdkEVCQaui8zg9giAmoSZ5asYANpYBboYZSYvec/WIOw gL3EpPdHGUFsXqB1U6acZ4VYZy/RsquHGSIuKHFy5hOwemaBMomD394B2RxAtrTE8n8cIGFO AQeJ+xt2gJWLCihLzNu3im0Co8AsJN2zkHTPQuiGCGtJ3Pj3kglDWFti2cLXzBC2rcS6de9Z FjCyr2KUTcmt0s1NzMwpTk3WLU5OzMtLLdI10svNLNFLTSndxAiOHEneHYz/7nodYhTgYFTi 4V1x7nGkEGtiWXFl7iFGSQ4mJVHec60PI4X4kvJTKjMSizPii0pzUosPMaoA7Xq0YfUFRimW vPy8VCUR3r3STyKFeFMSK6tSi/JhyqQ5WJTEebcF7YoUEkhPLEnNTk0tSC2CycpwcChJ8F6U BWoULEpNT61Iy8wpQUgzcXAeYpTg4AEaPgGkhre4IDG3ODMdIn+KUZfj2KbLf5iEwC6QEue1 ASkSACnKKM2DmwNKhBLZ+2teMYoDvSjMOxGkigeYROEmvQJawgS05F3EA5AlJYkIKakGxpI5 Cxca5FjNOyhQuPCg0ptVObf02+wS4s7qnItadNqmml1p8gcet5ZZ39ZMvq6+wvqdhOyzktUR 8wsCj0wNMkz/snCzVreh4Am+Rw0sS/+qx5tdrpzjxqnGGZF6KmBHRr3Y7pS/NTFT1PQto+x7 cn7te8b5Ju7LmjvL55vpdtg2NS00v58dosRSnJFoqMVcVJwIAOw9plBfAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/sIiV19Jf5Ou9fSChDopJWo5aL7Y>
Subject: Re: [kitten] The Hashed-Token SASL Mechanism (SASL-HT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2017 02:51:26 -0000

On Fri, Sep 29, 2017 at 11:08:10AM +0200, Florian Schmaus wrote:
> I would like to note the existence of draft-schmaus-kitten-sasl-ht-01:
> 
> https://tools.ietf.org/html/draft-schmaus-kitten-sasl-ht-01

Thanks, I just got a chance to look it over.

[...]

> Thus we initially authenticate an XMPP session using a strong mechanism
> like SCRAM, but at resumption-time we want a single round trip
> mechanism. The basic idea of such a mechanism is that the client
> requests a short-lived, exclusively ephemeral token after being
> authenticated, which can be used to authenticate the resumption in an
> efficient manner.
[...]
> The SASL HT-* mechanism outlined is attempting to provide a reasonably
> secure authentication based around a token obtained over the application
> protocol, in a single round-trip. This single-round-trip is a key
> requirement. The proposal uses a single-use token as a shared secret,
> provides channel binding and mutual authentication.

There does seem to be some value in having a fast "session resumption"
SASL mechanism to avoid repeated reauthentication (though presumably there
should be some guidance to periodically require a full authentication;
various flows elsewhere do this on a month timescale, roughly).
It's a little unfortunate that this ends up requiring TLS for confidentiality
(as there is some desire to have standalone mechanisms), but that seems
to be an acceptable tradeoff for this sort of application.

Putting my kitten WG chair hat on for a moment, it does seem like this work
would be in scope with our current charter
(https://datatracker.ietf.org/doc/charter-ietf-kitten/), which gives us
a pretty wide berth for giving "guidance for any new SASL-related
submissions".  That said, it is not really appropriate for us to accept
new work without a critical mass of people willing to participate/review
that work.  This document seems simple and straightforward enough that
it would not take too much work to get it ready, but we would need
to find a couple more people who are willing to review it before we
could adopt it as a WG document.  (Noting the standards@xmpp cc, I'll
explictly state that since participation in IETF working groups is
entirely open, so there is no requirement of having previously been
a WG participant for this purpose.)

Without my chair hat, the document is a little rough in some places,
but it should be pretty straightforward to clean up.  I do appreciate
the reference to RFC 6919 in particular, but it should really only be
cited by other "April 1st" RFCs.

-Ben

v2.23.0 | Report a Bug | By Email